BSI ADV Transition Guide. from CC V2.3 to CC V3.1. Miriam Serowy. Bundesamt für Sicherheit in der Informationstechnik /

Transcription

1 BSI ADV Transition Guide from CC V2.3 to CC V3.1 Miriam Serowy Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security 8 th ICCC Rome / September 2007

2 Agenda General Information about the Guide BSI Migration Support Motivation Introduction / Project Data / Project Goals Structure of the ADV Transition Guide How to use the Guide Major differences in ADV between CCv2 and CCv3 FSP as an example applying the Guide Where to get the Guide Miriam Serowy September 2007 Slide 2

3 BSI CCv3 Migration Support Guide for the Transition from CCv2 to CCv3 for ADV requirements (this presentation) BSI PP/ST Guide (8 th ICCC, presentation by Frank Grefrath) Guidelines for CCv3 developer documentation (8 th ICCC, presentation by Christian Krause) Guidelines for writing CCv3 evaluation reports (under development) ALC Transition Guide (provided in parallel to BSI CCv3 ALC development) Miriam Serowy September 2007 Slide 3

4 Motivation Common Criteria Transition Period ends March 2008 for new products September 2009 for products under re-evaluation Number of Certificates per year 80 is steadily increasing About 50% are Re-Certifications Estimation that products 30 will change from CCv2 to CCv until Number of BSI CC-Certificates Guidance is needed for efficient migration!! Miriam Serowy September 2007 Slide 4

5 ADV Transition - Introduction BSI project with a time frame of 11 months Project start: November 2006 Project end: October 2007 Project Team: BSI and evaluation facility (atsec) Project Approach: Analysis of the differences between CCv2 and CCv3 for each ADV assurance family Compilation of the ADV Transition Guide, taking into consideration the results of the previous analyses Miriam Serowy September 2007 Slide 5

6 Goals and Target Audience Project Goals: A guide to make the ADV migration from CCv2 to CCv3 as efficient as possible Guide applicable for SW and HW products Guidance for EAL1 to EAL4 (extension for EAL5 in progress) Target Audience: Developers that have performed a CCv2 evaluation and now want to start a CCv3 evaluation for a new version of the product Evaluators to have a guidance how to re-use evidence of a CCv2 evaluation in a CCv3 re-evaluation Profound CCv2 knowledge is expected Miriam Serowy September 2007 Slide 6

7 Structure of the ADV Transition Guide The ADV Transition Guide contains the following elements: General introduction Explanation of how to use the Guide For each ADV family (ARC, FSP, TDS, IMP): Background information about the family purpose Discussion about general changes concerning the family Mapping between CCv3 and CCv2 assurance components (on CEM workunit level for EAL1 to EAL4) Discussion on CCv2 workunits that are no longer part of CCv3 (if applicable) Miriam Serowy September 2007 Slide 7

8 How to use - Developer Following steps to migrate evidence from CCv2 to CCv3: Identify target EAL of CCv3 and ADV assurance components included (e.g. EAL2) Identify corresponding CCv2 components using table 3 of the Guide (e.g. the guide tells that CCv3 FSP.2 corresponds to CCv2 FSP.1 and RCR.1) Verify that corresponding CCv2 components were included in CCv2 evaluation Read the Background and Discussion sections of the Ccv3 assurance components to find out differences and new aspects Check and update evidence as suggested by the Guide Miriam Serowy September 2007 Slide 8

9 How to use - Evaluator Following steps to re-use evaluation work Read the Background and Discussion sections of an assurance component to find out general differences between CCv3 and CCv2 Identify for each CCv3 workunit the corresponding CCv2 workunits Read CEM workunit mapping to find out which CCv2 evaluation work can be re-used or may provide useful input for CCv3 work or whether a new analysis is required Miriam Serowy September 2007 Slide 9

10 Major differences in ADV between CCv2 and CCv3 New ADV_ARC (security architecture description) family concerning TSF properties like TSF-protection and nonbypassability of the TSF Larger amount of FSP components to ensure continously increasing requirements over assurance level New ADV_TDS (TOE design) family combines requirements from CCv2 HLD and LLD families New ADV_FSP, ADV_TDS, ADV_IMP components contain ADV_RCR requirements Only one ADV_SPM (formal TOE security policy model) component remaining for EAL6 and above New TSF entity categorisation (SFR-enforcing, SFR-supporting, SFR non-interfering) Miriam Serowy September 2007 Slide 10

11 Applying the Guide (migrating FSP for EAL2)? Identify target EAL of CCv3 and ADV assurance components included (e.g. EAL2)? Assurance class Development Assurance Family Assurance Components by Evaluation Assurance Level EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7 ADV_ARC ADV_FSP ADV_IMP ADV_INT ADV_SPM 1 1 ADV_TDS ADV_FSP.2 is the targeted assurance component for EAL2 Miriam Serowy September 2007 Slide 11

12 Corresponding CCv2 requirements CC V3.1 CC V2.3 ADV_ARC.1 - Identify corresponding CCv2 components using table 3 of the Guide ADV_FSP.1 ADV_FSP.1 ADV_RCR.1 ADV_FSP.2 ADV_FSP.1 ADV_RCR.1 ADV_FSP.3 ADV_FSP.1 ADV_RCR.1 The Guide tells that CCv3 FSP.2 corresponds to CCv2 FSP.1 and RCR.1 ADV_FSP.4 ADV_FSP.2 ADV_RCR.1 ADV_TDS.1 ADV_HLD.1 ADV_RCR.1 ADV_TDS.2 ADV_HLD.2 ADV_RCR.1 ADV_TDS.3 ADV_HLD.2 ADV_LLD.1 ADV_RCR.1 ADV_IMP.1 ADV_IMP.1 ADV_RCR.1 - ADV_SPM.1 Miriam Serowy September 2007 Slide 12

13 General Background for CCv3 FSP As Background for ADV_FSP the Guide tells what the purpose of an FSP analysis is that there is no difference in the FSP purpose between CCv2 and CCv3 that the CCv3 FSP is more granular (contains more FSP components) that a new concept of categorising TSFI into SFRenforcing, SFR-supporting and SFR non-interfering has been introduced that the way of describing TSFIs has slightly changed Miriam Serowy September 2007 Slide 13

14 General Discussion for CCv3 FSP The ADV_FSP discussion addresses e.g.... how the CCv3 FSP components are spread over the EALs what is required in the different FSP components and how the requirements increase how CCv3 defines a TSFI and what the potential differences are in the TSFI scope compared to CCv2 that the TSFI are no longer mapped to the TSF as described in ASE_TSS but to the SFRs in the ST... and provides hints where and how CCv2 evidence may be re-usable Miriam Serowy September 2007 Slide 14

15 FSP.2 workunit comparison CC Requirement CC/CEM v3.1 CC/CEM v2.3 CEM Work Unit CEM Work Unit Comment ADV_FSP.2.1E ADV_FSP.2.1C ADV_FSP.2-1 ADV_FSP.1-6 identical ADV_FSP.2.2C ADV_FSP.2-2 ADV_FSP.1-5 essence ADV_FSP.2-3 ADV_FSP.1-5 may contribute ADV_FSP.2.3C ADV_FSP.2-4 ADV_FSP.1-5 essence ADV_FSP.2-5 ADV_FSP.1-5 essence ADV_FSP.2.4C ADV_FSP.2-6 ADV_FSP.1-5 essence ADV_FSP.2.5C ADV_FSP.2-7 ADV_FSP.1-5 essence ADV_FSP.2.6C ADV_FSP.2-8 ADV_RCR.1-1 essence ADV_FSP.2.2E ADV_FSP.2-9 ADV_FSP.1-7 identical ADV_FSP.2-10 ADV_FSP.1-8 identical Miriam Serowy September 2007 Slide 15

16 ADV_FSP.2-4/5 Example ADV_FSP.2.3C The functional specification shall identify and describe all parameters associated with each TSFI. ADV_FSP.2-4 The evaluator shall examine the presentation of the TSFI to determine that it completely identifies all parameters associated with every TSFI. ADV_FSP.2-5 The evaluator shall examine the presentation of the TSFI to determine that it completely and accurately describes all parameters associated with every TSFI. Related work units from CC V2.3 ADV_FSP.1-5 The evaluator shall examine the presentation of the TSFI to determine that it adequately and correctly describes the behaviour of the TOE at each external interface describing effects, exceptions and error messages. Miriam Serowy September 2007 Slide 16

17 ADV_FSP.2-4/5 Example cont. Guide provides the following detailed discussion for the workunits FSP.2-4 and FSP.2-5: Parameter of all TSFI have to be described. May require additional evidence and evaluation work since this is stricter than in CCv2. Parameters have to be described completely and accurately. Requires additional evidence and analysis since CCv2 required only identification of security-relevant parameters. Completeness of description may be hard to verify with only EAL2 evidence available. (Implementation Representation not necessarily available) Miriam Serowy September 2007 Slide 17

18 Where to get the Guide Final version of the ADV Transition Guide will be published on the BSI web site under: Guide is used as input for several international activities Please note that this is a BSI Guide. This means: Usage of the Guide is not mandatory The Guide reflects the BSI perception of the CCv3 ADV class In case of doubt the statements in CCv3 and CEM precedes any advice given by the Guide Miriam Serowy September 2007 Slide 18

19 Contact Information Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security Godesberger Allee Bonn Miriam Serowy Tel: +49 (0) Fax: +49 (0) miriam.serowy@bsi.bund.de Miriam Serowy September 2007 Slide 19